bobbyb1980 Posted May 22, 2012 Share Posted May 22, 2012 Hey guys, having a small problem with redirect.php that's driving me insane. Probably nothing, but it's starting to eat up time. <?php $ref = $_SERVER['HTTP_REFERER']; if (strpos($ref, "facebook")) { header('Location: facebook.html'); } if (strpos($ref, "twitter")) { header('Location: twitter.html'); } if (strpos($ref, "hotmail")) { header('Location: Hotmail.htm'); } if (strpos($ref, "live")) { header('Location: Hotmail.htm'); } if (strpos($ref, "gmail")) { header('Location: Gmail.htm'); } if (strpos($ref, "yahoo")) { header('Location: Yahoo.htm'); } require('peets.html'); ?> The problem is when I type "facebook.com" into my VM's browser it just hangs at "facebook.com/redirect.php" and nothing displays on the page. It seems that there is an issue in redirect.php but I can't seem to finger it. The victim machine is an XP SP2 box running firefox 12. The victim is being redirected to this malicious site via an edited hosts file. The server has been tested and PHP5 is working, it's an Ubuntu Server running apache2 for the webserver. Quote Link to comment Share on other sites More sharing options...
bobbyb1980 Posted May 23, 2012 Author Share Posted May 23, 2012 Could be wrong, but I'm starting to think many browsers can recognize php redirect code and flag it as phishing attempts. Quote Link to comment Share on other sites More sharing options...
PineDominator Posted May 23, 2012 Share Posted May 23, 2012 Could be wrong, but I'm starting to think many browsers can recognize php redirect code and flag it as phishing attempts. try putting your redirect code IE redirect.php into index.php aka the landing page. Quote Link to comment Share on other sites More sharing options...
bobbyb1980 Posted May 23, 2012 Author Share Posted May 23, 2012 Thanks for the help peter. I'm using the exact method Darren posted, so index.html that points to redirect.php, etc etc. I tried creating an index.php and copied the redirect code into it, but no luck. Quote Link to comment Share on other sites More sharing options...
bobbyb1980 Posted May 23, 2012 Author Share Posted May 23, 2012 (edited) Starting to see what you mean peter but I don't think apache2 is picking up on index.php for whatever reason. Looked in /etc/apache/apache2.conf and didn't see anything about index.php/html or landing pages in general, but did notice a reference to a .htaccess file. Would you be able to advise me if I should look further in apache's config files or would I need to create a .htaccess file to get it to recognize index.php (With the redirect code) as the landing page? EDIT - added "DirectoryIndex index.php" to /etc/apache2/httpd.conf but still no luck. Edited May 23, 2012 by bobbyb1980 Quote Link to comment Share on other sites More sharing options...
bobbyb1980 Posted May 23, 2012 Author Share Posted May 23, 2012 (edited) Got apache2 to recognize index.php as the landing page after adding the same line in .htaccess as I did in httpd.conf. Is this what my index.php file should look like to properly execute this attack? <?php $ref = $_SERVER['HTTP_REFERER']; if (strpos($ref, "facebook")) { header('Location: facebook.html'); } require('peets.html'); ?> Everything seems to be working, but it is not redirecting properly, it keeps redirecting the requests to peets.html even though facebook.com was typed into the browser. Edited May 23, 2012 by bobbyb1980 Quote Link to comment Share on other sites More sharing options...
bobbyb1980 Posted May 23, 2012 Author Share Posted May 23, 2012 Solved. For all those out there wondering, to get this setup working in apache, first you need to edit the httpd.conf to recognize index.php as the landing page (if that doesn't work then add the same line in /var/www/.htaccess). The create index.php and paste the following could and it should work fine. Tested with firefox and IE in Windows and it seems to be working ok. <?php $ref = $_SERVER['HTTP_HOST']; if (strpos($ref, 'facebook.com') !== FALSE){ include('facebook.html') ;} if (strpos($ref, 'twitter.com') !== FALSE){ include('twitter.html') ;} exit; require('error.php'); ?> Quote Link to comment Share on other sites More sharing options...
PineDominator Posted May 23, 2012 Share Posted May 23, 2012 Im glad you got it figured:-D but I don't know what all this apache stuff is for, I have never had to mess with or have come across it? What version of pineapple is it? as well as firmware version? Quote Link to comment Share on other sites More sharing options...
Sebkinne Posted May 23, 2012 Share Posted May 23, 2012 Im glad you got it figured:-D but I don't know what all this apache stuff is for, I have never had to mess with or have come across it? What version of pineapple is it? as well as firmware version? I was wondering the same thing. Either he is using a web-server on his virtual machine OR he has installed Apache2 as the web-server on the pineapple. The reason this is not done by default is because uhttpd is much smaller and lightweight. Either way, glad you got it sorted out! Quote Link to comment Share on other sites More sharing options...
bobbyb1980 Posted May 24, 2012 Author Share Posted May 24, 2012 I use a different method with my pineapple. I prefer not to use arp-based spoofing attacks as I've had it set off alarms in certain victims. Without going into a 10 page explanation, simply put - I prefer to use create my own DNS zones files and host them on a remote bind9 DNS server. The DNS server, redirects all the desired sites to an apache2 server. This way the victim can still get internet if they're not going to one of the phish'd sites. The apache2 server is configured exactly like the httpd server on the pineapple would be. Since it is over the internet I prefer to use apache for security reasons. Definitely need to brush up on my PHP : ( Quote Link to comment Share on other sites More sharing options...
telot Posted May 24, 2012 Share Posted May 24, 2012 I use a different method with my pineapple. I prefer not to use arp-based spoofing attacks as I've had it set off alarms in certain victims. Without going into a 10 page explanation, simply put - I prefer to use create my own DNS zones files and host them on a remote bind9 DNS server. The DNS server, redirects all the desired sites to an apache2 server. This way the victim can still get internet if they're not going to one of the phish'd sites. The apache2 server is configured exactly like the httpd server on the pineapple would be. Since it is over the internet I prefer to use apache for security reasons. Definitely need to brush up on my PHP : ( That sounds awesome bobbi! I'm sure I wouldn't be the only one who'd love a how-to guide on this. If you're up to it, I think itd be a great addition to combine with the other remote server based features like reverse ssh, cron'd remote log uploading, etc telot Quote Link to comment Share on other sites More sharing options...
bobbyb1980 Posted May 24, 2012 Author Share Posted May 24, 2012 Hey telot, I've actually been working on a python script that create zones files in bind9, so a user could just setup ICS and do either uci set network.lan.dns=ROUGUE_DNS_IP Or edit the /etc/config/dhcp and replace it with the rogue server addy. I'm currently in the process of writing a python script to automate the task of creating DNS zone files in bind9. My goal is to let the user specify a simple url and IP to resolve to. Say hak5.com and gmail.com would resolve to the local listening httpd server (or a remote apache2) depending on the setup. However due to the nature of bind9, every time a change in the server is made (or possibly in a reverse lookup file) a number must be appended and I'm still not quite sure what number it is. I have it working, but only on one bind9 server, haven't tried a different one and need to figure this last bit out before the process can be easily replicated. In this script, I've gotten so far as named.conf, named.conf.local, named.conf.options, a .db zone file, and a reverse lookup file. This however is not the whole task but I'd be more than happy to post what I have of that script if anyone is interested. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.